The Domain Name System (DNS) is sometimes called the “phone book” of the Internet. It maps the names used by humans (e.g., www.microsoft.com) to IP addresses used by computers (e.g., 23.195.11.179). One challenge facing Internet-facing DNS systems is the threat of a large-scale DDoS attack. A DDoS attack is an attempt to make a service (e.g., a website) unavailable by bombarding one or more servers with more traffic than the server(s) can handle.
An Edge-Origin DNS architecture is based on an architecture commonly used for content delivery networks (CDNs). It uses a set of Internet-facing DNS servers (the Edge), which answer DNS queries using data from a local cache. This is connected to a back-end set of DNS servers (the Origin) containing all DNS records. When a query is received at the Edge, the Edge first checks to see if its cache already contains the necessary response. If so, the response is returned. If not, the Edge calls the Origin to retrieve the necessary DNS records, caches them, and returns the response. One advantage of an Edge-Origin architecture is that it separates query scale (handled by the Edge) from number-of-records scale (handled by the Origin).
In an Edge-Origin DNS architecture, negative responses (i.e., responses where the name in the query does not match an existing record) and wildcard DNS records are not cached at the Edge. Accordingly, queries calling for a negative response or wildcard DNS record are passed to the Origin, potentially overloading the Origin.
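The two preceding paragraphs describe the Edge cache lookup and the class of queries that bypass it. The following toy model, added here as an illustration and not part of the disclosure or of any real DNS implementation, plays a constructed query stream against an Edge that caches only exact-match positive answers in front of an Origin that holds every record. The names, addresses and the simplified wildcard rule (only a `*.` record one label up is consulted) are assumptions made for the example; the Origin's per-name query counter is what shows the load pattern the text warns about.

```python
"""Toy Edge-Origin DNS model (constructed example, not a real resolver)."""
from __future__ import annotations

from collections import Counter
from typing import Optional


class Origin:
    """Back-end DNS server holding all records, including wildcard records."""

    def __init__(self, records: dict[str, str]):
        self.records = records          # name -> IPv4 address (constructed sample data)
        self.queries: Counter = Counter()  # how often the Origin is asked for each name

    def lookup(self, name: str) -> Optional[tuple[str, bool]]:
        """Return (address, is_wildcard), or None for a negative (no such name) answer."""
        self.queries[name] += 1
        if name in self.records:
            return (self.records[name], False)
        # Simplified wildcard handling (assumption): only "*.<parent>" of the
        # queried name is consulted, e.g. cdn.example.com -> *.example.com.
        parent = name.split(".", 1)[1] if "." in name else ""
        wildcard = "*." + parent
        if wildcard in self.records:
            return (self.records[wildcard], True)
        return None


class Edge:
    """Internet-facing server that answers from its cache and falls back to the Origin."""

    def __init__(self, origin: Origin):
        self.origin = origin
        self.cache: dict[str, str] = {}

    def query(self, name: str) -> Optional[str]:
        if name in self.cache:
            return self.cache[name]     # cache hit: the Origin is never contacted
        result = self.origin.lookup(name)
        if result is None:
            return None                 # negative response: not cached at the Edge
        address, is_wildcard = result
        if not is_wildcard:
            self.cache[name] = address  # only exact-match records are cached
        return address


def run_simulation(repeats: int = 5) -> dict[str, int]:
    """Ask three constructed names `repeats` times each; return Origin query counts per name."""
    origin = Origin({
        "www.example.com": "192.0.2.10",   # exact record: cacheable at the Edge
        "*.example.com": "192.0.2.20",     # wildcard record: synthesizes cdn.example.com
    })
    edge = Edge(origin)
    stream = ["www.example.com", "cdn.example.com", "missing.example.net"] * repeats
    for name in stream:
        edge.query(name)
    return dict(origin.queries)


if __name__ == "__main__":
    for name, count in run_simulation().items():
        print(f"{name}: {count} Origin lookups")
```

Running it shows the Origin answering the exact-match name once (every later query is a cache hit), while the wildcard-synthesized name and the non-existent name reach the Origin on every query; scaled up to a flood of random subdomain or nonexistent-name queries, that is the overload path the paragraph above describes.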
The background description provided here is for the purpose of generally presenting the context of the disclosure. Work of the presently named inventors, to the extent it is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure.